How long does it take to incorporate RMF?

It varies significantly from organization to organization, but it will generally take at least multiple months to properly implement and set up for indefinite use. According to the U.S. Navy, the process to achieve authorization usually takes anywhere between 6-18 months (it is worth noting that this figure was in reference to RMF Rev. 1, not the current revision). This is because RMF is a very rigorous process, and many components require cybersecurity officials to perform administrative processes (partially due to a lack of graphical user interfaces).

However, what makes the time-consuming process of implementing RMF worth it is that it is self-sustaining and doesn’t need to be repeated. The final step of the implementation process is continuous monitoring, which means that as long as an organization adheres to an approved monitoring strategy and is assessed regularly, it will stay authorized indefinitely.
